Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
Vero Zheng <vero.zheng@huawei.com> Fri, 18 April 2014 03:08 UTC
Return-Path: <vero.zheng@huawei.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04CD31A01E8 for <mpls@ietfa.amsl.com>; Thu, 17 Apr 2014 20:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.472
X-Spam-Level:
X-Spam-Status: No, score=-4.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bQ4cEHgbz4O for <mpls@ietfa.amsl.com>; Thu, 17 Apr 2014 20:08:20 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 516671A00CB for <mpls@ietf.org>; Thu, 17 Apr 2014 20:08:18 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BFU69682; Fri, 18 Apr 2014 03:08:13 +0000 (GMT)
Received: from LHREML403-HUB.china.huawei.com (10.201.5.217) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 18 Apr 2014 04:06:31 +0100
Received: from SZXEMA403-HUB.china.huawei.com (10.82.72.35) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 18 Apr 2014 04:08:11 +0100
Received: from SZXEMA504-MBS.china.huawei.com ([169.254.8.15]) by SZXEMA403-HUB.china.huawei.com ([10.82.72.35]) with mapi id 14.03.0158.001; Fri, 18 Apr 2014 11:08:05 +0800
From: Vero Zheng <vero.zheng@huawei.com>
To: "adrian@olddog.co.uk" <adrian@olddog.co.uk>, 'Loa Andersson' <loa@pi.nu>, "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>
Thread-Topic: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
Thread-Index: AQHPWi4DA6B4NIA6W0uW6/7VuK7Yn5sVQgqAgAFuc0A=
Date: Fri, 18 Apr 2014 03:08:04 +0000
Message-ID: <2EEA459CD95CCB4988BFAFC0F2287B5C5C80DE98@SZXEMA504-MBS.china.huawei.com>
References: <002301cf5743$b1a74af0$14f5e0d0$@olddog.co.uk> <534FB734.2020005@pi.nu> <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk>
In-Reply-To: <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.115]
Content-Type: multipart/alternative; boundary="_000_2EEA459CD95CCB4988BFAFC0F2287B5C5C80DE98SZXEMA504MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/mpls/zorAZUf-eFXMYHud7ZfzuMkKRzM
Cc: "mpls@ietf.org" <mpls@ietf.org>
Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 03:08:25 -0000
> RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was adopted by KARP in June 2011. That derives from draft-mahesh-bgp-ldp-msdp-analysis first posted in February 2011 (note that the discussion of LDP Hellos didn't make it into this document until -01 in May2011). Adrian, That is not correct. The discussion of LDP Hellos was in the document from the very beginning. The hello spoofing was discussed in both the discussion on current state/optimal state of the protocols in -00. Obviously, the document authors care:) Cheers, Vero > -----Original Message----- > From: mpls [mailto:mpls-bounces@ietf.org] On Behalf Of Adrian Farrel > Sent: Thursday, April 17, 2014 9:09 PM > To: 'Loa Andersson'; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org > Cc: mpls@ietf.org > Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth > > Hello, > > I don't think that is the history at all! > This document started as draft-zheng-mpls-ldp-hello-crypto-auth in October > 2010. > Before that the issue with the Hello was discussed and batted around for a > while. > There is a risk with the Hello and it needs a solution. > No issue with that, and I support this draft. > > RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was > adopted by KARP in June 2011. That derives from > draft-mahesh-bgp-ldp-msdp-analysis first posted in February 2011 (note that > the discussion of LDP Hellos didn't make it into this document until -01 in May > 2011). > > But who cares? > > RFC 6952 does not describe the attacks or their mitigations. It just notes that > spoofing a Hello can have some bad effects. > > As a deployer, I need help to explain when I need to insist on having this feature > implemented by my supplier (BTW, it looks like none of the suppliers is > implementing it) and when I need to enable it. It seems to me that this feature > is needed to protect against attacks (which 6952 claims have been seen in the > wild), but that those attacks only arise in specific situations. > > Since the security mechanisms defined in this document are pretty > heavy-weight (compare with simple text passwords so loved for IGP security :-) > it would be great to get some help on this topic. Are all networks always > exposed (if so it looks like a must-have feature)? Are the risks only significant > for targeted LDP? Is the network safe if it applies access controls at the edges > and assumes no subversion of routers? Does applying an access list at the LDP > speakers provide protection against everything except address spoofing? > > Cheers, > Adrian > > > -----Original Message----- > > From: Loa Andersson [mailto:loa@pi.nu] > > Sent: 17 April 2014 12:13 > > To: adrian@olddog.co.uk<mailto:adrian@olddog.co.uk>; > draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org<mailto:draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org> > > Cc: mpls@ietf.org<mailto:mpls@ietf.org> > > Subject: Re: AD review of draft-ietf-mpls-ldp-hello-crypto-auth > > > > Adrian, > > > > Given my limited understanding of the security mechanisms, I > > nevertheless have one question I need to ask. > > > > You say: > > > > On 2014-04-13 20:10, Adrian Farrel wrote: > > > It would help if the document was a > > > little clearer about which attacks it is defending against and why > > > normal protection at the edge of the network is not considered > > > enough for the > former, > > > and why a bad actor within the network would waste its time > > > attacking LDP > > when > > > there is so much else it can do! > > > > My understanding is that this document was written as a response to > > the risk analysis in RFC 6952. If I remember correctly you had a > > number of questions, but also said that you had no objections after > > having these question answered. > > > > Since RFC 6952 says we have a security hole that we need to close, you > > said that you approve of that, we tried to fill the hole; how should I > > understand the comment above? Do you just want another reference to > > RFC 6952? > > > > /Loa > > _______________________________________________ > mpls mailing list > mpls@ietf.org<mailto:mpls@ietf.org> > https://www.ietf.org/mailman/listinfo/mpls
- [mpls] AD review of draft-ietf-mpls-ldp-hello-cry… Adrian Farrel
- Re: [mpls] AD review of draft-ietf-mpls-ldp-hello… Loa Andersson
- Re: [mpls] AD review of draft-ietf-mpls-ldp-hello… Adrian Farrel
- Re: [mpls] AD review of draft-ietf-mpls-ldp-hello… Loa Andersson
- Re: [mpls] AD review of draft-ietf-mpls-ldp-hello… Adrian Farrel
- Re: [mpls] AD review of draft-ietf-mpls-ldp-hello… Vero Zheng
- Re: [mpls] AD review of draft-ietf-mpls-ldp-hello… Adrian Farrel